Contactless Cards Put Barclays Customers At Fraud Risk

Investigation reveals that 13 million Barclays contactless card users may be at risk of fraud

Up to 13 million users of Barclays’ contactless debit and credit cards could be defrauded using smartphones, a Channel 4 investigation has revealed.

Phones integrated with near field communication (NFC) technology can be adapted to collect sensitive data from cards with just a quick swipe.

Contactless theft

“All I did was I tapped my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name,” said Thomas Cannon of ViaForensics, a mobile phone security company which collaborated with Channel 4 in the investigation. “None of it was encrypted, it was simply a case of the details coming out through the air.”

Though ViaForensics could only access card details of Barclays’ Visa cards, The UK Cards Association’s guidelines note that cardholder names should not be transmitted in contactless transactions.

“We are compliant with scheme rules for contactless cards and our fraud guarantee refunds any fraudulent losses to customers in full,” Barclays said in a statement. “The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code.”

The bank went on to say that retailers using contactless payments had been contacted to make checks to the system, though it claimed that the details obtained via smartphone should not be enough to commit fraud.

However, Channel 4 found that Amazon did not require the three-digit CVV code to purchase products. Despite being one of the biggest UK online retailers, it lacked this commonplace security measure and could therefore allow a fraudster to use credit/debit card details to set up an Amazon account without a card-registered address or name.

“We call on the card issuers to act quickly to address this issue and to cancel and replace cards if necessary,” a Department for Business, Innovation and Skills spokesperson told Channel 4. “We are contacting the Payments Council, UK Cards and Barclays to get more details on the extent of the problem and to understand what urgent action is being taken to address it.”

Barclays and Visa have pioneered contactless payments in the UK, having already installed terminals in 56,000 locations. The pair has also announced plans to issue smartphones with NFC technology to Olympic athletes as part of its contactless payments push in the UK. Further large-scale plans may need to be put on hold now as security concerns are dealt with.

Great article and research Jiten – it’s a story that’s been waiting to be told. We’ve spent the past three years trying to raise awareness of the potential vulnerabilities associated with this new technology; although here in the UK some will argue we’re in denial. Our findings have been collated into a suite of (free to download) PDFs, which can be found at our main website: browser search for ‘RFID PROTECT RESOURCES’

Hope this information proves helpful in some way, and once again well done for breaking this story here in the UK.

We’ve had a tip off that Channel 4 will be bringing more news on this story later today. Watch this space!